openbsd pppoe and qwest dsl
Monday, June 1. 2009
i thought i'd do a quick write-up of my qwest dsl setup. i have a /29 (8 ip) static ip block from qwest and also a local network that sits behind nat. i started using this setup because the pppoe on my (old) alcatel modem was pretty unreliable, requiring a power cycle every week or so. openbsd's pppoe has proven much more reliable (i've gone 5 months without one), but it also adds two other big benefits: it gives you one more ip address (the one normally wasted on the dsl modem is now used by the openbsd box), and, most importantly, you can use pf as your firewall.
hardware
any box with 3 nics (i'm using a lex twister from hacom.net with 4 gigabit nics, em0-em3) and a dsl modem that can be placed into transparent bridging mode (i'm using a motorola 3347; most likely any modem qwest deploys will do -- i've used several others).
interfaces
em0
wired crossover to the dsl modem (assumes the modem is 192.168.0.1, which is what qwest tends to use -- this lets you reach the modem's configuration web page from the gateway machine if you need to). /etc/hostname.em0 follows:
inet 192.168.0.2 255.255.255.0
em1
internal nat'd subnet (not publicly routed, eg, 10.0.1.0/24). put any machines you want to sit behind nat on this interface. /etc/hostname.em1 follows:
inet 10.0.1.1 255.255.255.0 10.0.1.255 group trusted
em3
internet-routable subnet (the static ip block, eg, 75.160.178.8/29). put any machines that should use an ip from your qwest static block on this interface. /etc/hostname.em3 follows:
inet 75.160.178.14 255.255.255.248
pppoe0
the actual pppoe connection through the dsl modem. the modem must be in transparent bridge mode for this to work. /etc/hostname.pppoe0 follows:
inet 0.0.0.0 255.255.255.248 NONE pppoedev em0 authproto pap authname 'username' authkey 'password' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
bridge0
bridge the pppoe connection with the publicly addressable interface so the static block is reachable from the outside. /etc/bridgename.bridge0 follows:
add em3
up
pf.conf
ext = "pppoe0"
OPEN_TCP = "{ auth, https, smtp, submission, www }"
OPEN_ICMP = "{ echorep, echoreq, timex, unreach }"
scrub in all
# clamp mss to 1452 (1492 pppoe mtu minus 40 bytes of tcp/ip headers);
# this fixes weird behaviour w/ some webservers and dsl.
scrub out on $ext max-mss 1452
# redirect
# nat
nat on $ext inet from { trusted:network } to any -> $ext
# external
antispoof log for $ext
block in log on $ext
# allow pings to any of our static block ips
pass in quick on $ext inet proto icmp icmp-type $OPEN_ICMP
# allow connections to port $OPEN_TCP on the gateway machine (only)
pass in quick on $ext proto tcp from any to $ext port $OPEN_TCP
# allow ssh connections to any of our publicly routed ips.
pass in quick on $ext proto tcp from any to any port ssh
# allow www to our webserver.
pass in quick on $ext proto tcp from any to 75.160.178.10 port { www, https }
pass out quick on $ext
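The same ruleset in current pf syntax, where scrub and nat became options on match rules after OpenBSD 4.7 (added here as an example, not a file from the original post; it assumes the same interface names, the trusted group on em1 and 75.160.178.10 as the web server):

```pf
# post-4.7 pf.conf equivalent of the ruleset above (added example, not the
# original post's file). assumes the same interfaces, the "trusted" group
# on em1, and 75.160.178.10 as the web server.
ext = "pppoe0"
open_tcp = "{ auth, https, smtp, submission, www }"
open_icmp = "{ echorep, echoreq, timex, unreach }"

# fragment reassembly is always on now ("set reassemble yes" is the
# default), so only the mss clamp needs a rule: 1492 pppoe mtu - 40.
match out on $ext scrub (max-mss 1452)

# nat is a match rule with nat-to; ($ext) follows the address pppoe
# negotiates instead of the one present when the ruleset was loaded.
match out on $ext inet from trusted:network to any nat-to ($ext)

antispoof log for $ext
block in log on $ext

# pings to any of our static block ips
pass in quick on $ext inet proto icmp icmp-type $open_icmp
# services on the gateway itself only ($ext in parentheses for the same
# reason as the nat rule)
pass in quick on $ext proto tcp from any to ($ext) port $open_tcp
# ssh to any publicly routed ip, www/https to the web server only
pass in quick on $ext proto tcp from any to any port ssh
pass in quick on $ext proto tcp from any to 75.160.178.10 port { www, https }
pass out quick on $ext
```

Check it with `pfctl -nf /etc/pf.conf` before loading; the parenthesized interface forms matter on pppoe0 because its address is 0.0.0.0 until the session comes up.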